phorphiex | 7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67f

General

Target

7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
Size

1.8MB
MD5

08c2b2e490868981fa263c82709b2d80
SHA1

7d6dcc0e3ceb2437b6fdc4516196ef1355220c50
SHA256

7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67f
SHA512

50dabc7ba7432b11bcdd379a6eed458f10c646f41e7c0a7ec107aaa0c14ffe53358df75a382146c6883f07b2815cb502a0a784dcc217a00e0ac2dc0285c2f66c
SSDEEP

49152:myIO6XrnRNm5zuXp7jRG6wLvSpDiTEsnfDB1:XIOqrRXG6wL6U

Score

10^/10

phorphiex discovery evasion loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Attributes

mutex
tre5eer
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36

Signatures

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\903E.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sylsplvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

903E.exesylsplvc.exe1090932699.exe3029823720.exe

pid process

2924 903E.exe
2768 sylsplvc.exe
1492 1090932699.exe
348 3029823720.exe

pid	process
2924	903E.exe
2768	sylsplvc.exe
1492	1090932699.exe
348	3029823720.exe

Loads dropped DLL 4 IoCs

Processes:

7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exesylsplvc.exe

pid	process
2156	7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
2156	7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
2768	sylsplvc.exe
2768	sylsplvc.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sylsplvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

903E.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sylsplvc.exe"	903E.exe

Drops file in Windows directory 2 IoCs

Processes:

903E.exe

description ioc process

File created C:\Windows\sylsplvc.exe 903E.exe
File opened for modification C:\Windows\sylsplvc.exe 903E.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\sylsplvc.exe	903E.exe
File opened for modification	C:\Windows\sylsplvc.exe	903E.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe903E.exesylsplvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	903E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sylsplvc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1090932699.exe

pid process

1492 1090932699.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1090932699.exe

description pid process

Token: SeDebugPrivilege 1492 1090932699.exe

pid	process
1492	1090932699.exe

description	pid	process
Token: SeDebugPrivilege	1492	1090932699.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe903E.exesylsplvc.exe1090932699.execmd.execmd.exe

description	pid	process	target process
PID 2156 wrote to memory of 2924	2156	7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe	903E.exe
PID 2156 wrote to memory of 2924	2156	7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe	903E.exe
PID 2156 wrote to memory of 2924	2156	7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe	903E.exe
PID 2156 wrote to memory of 2924	2156	7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe	903E.exe
PID 2924 wrote to memory of 2768	2924	903E.exe	sylsplvc.exe
PID 2924 wrote to memory of 2768	2924	903E.exe	sylsplvc.exe
PID 2924 wrote to memory of 2768	2924	903E.exe	sylsplvc.exe
PID 2924 wrote to memory of 2768	2924	903E.exe	sylsplvc.exe
PID 2768 wrote to memory of 1492	2768	sylsplvc.exe	1090932699.exe
PID 2768 wrote to memory of 1492	2768	sylsplvc.exe	1090932699.exe
PID 2768 wrote to memory of 1492	2768	sylsplvc.exe	1090932699.exe
PID 2768 wrote to memory of 1492	2768	sylsplvc.exe	1090932699.exe
PID 1492 wrote to memory of 628	1492	1090932699.exe	cmd.exe
PID 1492 wrote to memory of 628	1492	1090932699.exe	cmd.exe
PID 1492 wrote to memory of 628	1492	1090932699.exe	cmd.exe
PID 1492 wrote to memory of 2072	1492	1090932699.exe	cmd.exe
PID 1492 wrote to memory of 2072	1492	1090932699.exe	cmd.exe
PID 1492 wrote to memory of 2072	1492	1090932699.exe	cmd.exe
PID 628 wrote to memory of 1672	628	cmd.exe	reg.exe
PID 628 wrote to memory of 1672	628	cmd.exe	reg.exe
PID 628 wrote to memory of 1672	628	cmd.exe	reg.exe
PID 2072 wrote to memory of 1380	2072	cmd.exe	schtasks.exe
PID 2072 wrote to memory of 1380	2072	cmd.exe	schtasks.exe
PID 2072 wrote to memory of 1380	2072	cmd.exe	schtasks.exe
PID 2768 wrote to memory of 348	2768	sylsplvc.exe	3029823720.exe
PID 2768 wrote to memory of 348	2768	sylsplvc.exe	3029823720.exe
PID 2768 wrote to memory of 348	2768	sylsplvc.exe	3029823720.exe
PID 2768 wrote to memory of 348	2768	sylsplvc.exe	3029823720.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
"C:\Users\Admin\AppData\Local\Temp\7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\903E.exe
"C:\Users\Admin\AppData\Local\Temp\903E.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\sylsplvc.exe
C:\Windows\sylsplvc.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\1090932699.exe
C:\Users\Admin\AppData\Local\Temp\1090932699.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
6⤵
PID:1672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
5⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
6⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\3029823720.exe
C:\Users\Admin\AppData\Local\Temp\3029823720.exe
4⤵
- Executes dropped EXE
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOGPI1N2\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
\Users\Admin\AppData\Local\Temp\1090932699.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
\Users\Admin\AppData\Local\Temp\3029823720.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
\Users\Admin\AppData\Local\Temp\903E.exe

Filesize
79KB

MD5
1e8a2ed2e3f35620fb6b8c2a782a57f3

SHA1
e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

SHA256
3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

SHA512
ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

Download Submit
memory/1492-48-0x000000013FD30000-0x000000013FD36000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads